Manual Chapter : AFM DoS/DDoS Protection

Applies To:

Show Versions Show Versions


  • 15.0.1, 15.0.0
Manual Chapter

AFM DoS/DDoS Protection

AFM core features

BIG-IP Advanced Firewall Manager (AFM) denial-of-service or distributed denial-of-service (DoS/DDoS) Protection is one of four AFM core features:
Network Firewall
Controls access to application resourcesusing industry-standard firewall-based rules.
DoS/DDoS Protection
Monitors and mitigates against denial-of-service and distributed denial-of-service (DoS/DDoS) attacks.
IP Intelligence
Restricts or allows data center access based on lists of source IP addresses (feed lists).
Provides detailed graphical reports about network attack events.
AFM DoS/DDoS Protection is designed to protect your data center from attacks by detecting and mitigating a wide range of malicious traffic patterns and packet types. Malicious traffic patterns and packets are also referred to as
attack vectors
attack signatures
An effective DoS/DDoS solution blocks attack traffic while allowing legitimate traffic.

Automatic Detection and Mitigation

You can configure BIG-IP AFM to automatically detect and mitigate DoS/DDoS attacks using a wide variety of custom and default attack vectors. You can also enable the BIG-IP AFM Dynamic Signature feature to create new attack signatures and mitigate attacks based on traffic patterns that change over time.

Manual Detection and Mitigation

An effective DoS/DDoS protection solution requires an in-depth traffic analysis to determine the baseline traffic patterns and thresholds, as well as attack patterns and thresholds. Once a traffic analysis is complete, you can determine the appropriate DoS/DDoS attack vectors, and manually configure the detection and mitigation thresholds for each.

AFM DoS/DDoS features

The BIG-IP AFM system includes a wide variety of features to detect and mitigate against Network, SIP and DNS related DoS/DDoS attacks.

Attack Vectors

BIG-IP AFM uses industry standard Network, DNS and SIP attack vectors, or signatures, that can be configured to detect and mitigate DoS/DDoS attacks.

Dynamic Signatures

Dynamic signatures are created by AFM DoS/DDoS Protection based on changing traffic patterns over time. When a unique DoS attack is detected, a dynamic signature is created and can then be used for DoS/DDoS protection.

Custom Attack Signatures

You can create custom DoS/DDoS attack signatures for network and DNS traffic patterns and packets that do not match either the default or dynamic attack signatures.

Bad Actor Detection

Bad Actor detection identifies IP addresses that engage in attacks targeting many destinations. The AFM system can automatically blacklist Bad Actor IP addresses with specific thresholds and time limits.

About device protection and protection profiles

BIG-IP Advanced Firewall Manager (AFM) applies DoS/DDoS attack protection at two levels: Device Protection and Protection Profiles. Device Protection is used to protect the entire BIG-IP system, while Protection Profiles are used to protect individual virtual servers, known as
Protected Objects
. Having two levels of protection provides the ability to adapt detection and mitigation levels for specific devices or applications.